|
| 1 | +// Copyright © 2019 BoxBoat engineering@boxboat.com |
| 2 | +// |
| 3 | +// Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | +// you may not use this file except in compliance with the License. |
| 5 | +// You may obtain a copy of the License at |
| 6 | +// |
| 7 | +// http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | +// |
| 9 | +// Unless required by applicable law or agreed to in writing, software |
| 10 | +// distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | +// See the License for the specific language governing permissions and |
| 13 | +// limitations under the License. |
| 14 | + |
| 15 | +package cmd |
| 16 | + |
| 17 | +import ( |
| 18 | + "context" |
| 19 | + "encoding/json" |
| 20 | + "fmt" |
| 21 | + "github.com/Azure/azure-sdk-for-go/profiles/2019-03-01/keyvault/keyvault" |
| 22 | + kvauth "github.com/Azure/azure-sdk-for-go/services/keyvault/auth" |
| 23 | + "github.com/spf13/cobra" |
| 24 | + "github.com/spf13/viper" |
| 25 | + "os" |
| 26 | + "text/template" |
| 27 | +) |
| 28 | + |
| 29 | +var ( |
| 30 | + initialized = false |
| 31 | + azureTenantID string |
| 32 | + azureClientID string |
| 33 | + azureClientSecret string |
| 34 | + azureKeyVaultName string |
| 35 | + azureKeyVaultClient keyvault.BaseClient |
| 36 | + azureSecretCache map[string]map[string]interface{} |
| 37 | +) |
| 38 | + |
| 39 | +func getKeyVaultClient() keyvault.BaseClient { |
| 40 | + if !initialized { |
| 41 | + authorizer, err := kvauth.NewAuthorizerFromEnvironment() |
| 42 | + HandleError(err) |
| 43 | + azureKeyVaultClient = keyvault.New() |
| 44 | + azureKeyVaultClient.Authorizer = authorizer |
| 45 | + initialized = true |
| 46 | + } |
| 47 | + return azureKeyVaultClient |
| 48 | +} |
| 49 | + |
| 50 | +func getAzureJSONSecret(secretName string, secretKey string) string { |
| 51 | + Logger.Debugf("Retrieving [%s][%s]", secretName, secretKey) |
| 52 | + |
| 53 | + if val, ok := azureSecretCache[secretName]; ok { |
| 54 | + Logger.Debugf("Using cached [%s][%s]", secretName, secretKey) |
| 55 | + secretStr, ok := val[secretKey].(string) |
| 56 | + if !ok { |
| 57 | + HandleError( |
| 58 | + fmt.Errorf( |
| 59 | + "Could not convert [%s][%s] to string", |
| 60 | + secretName, |
| 61 | + secretKey)) |
| 62 | + } |
| 63 | + return secretStr |
| 64 | + } |
| 65 | + |
| 66 | + secretResp, err := getKeyVaultClient().GetSecret( |
| 67 | + context.Background(), |
| 68 | + "https://"+azureKeyVaultName+".vault.azure.net", |
| 69 | + secretName, "") |
| 70 | + HandleError(err) |
| 71 | + secretJSON := *secretResp.Value |
| 72 | + var response map[string]interface{} |
| 73 | + json.Unmarshal([]byte(secretJSON), &response) |
| 74 | + |
| 75 | + secretStr, ok := response[secretKey].(string) |
| 76 | + if !ok { |
| 77 | + HandleError( |
| 78 | + fmt.Errorf( |
| 79 | + "Could not convert Key Vault response[%s][%s] to string", |
| 80 | + secretName, |
| 81 | + secretKey)) |
| 82 | + } |
| 83 | + if azureSecretCache[secretName] == nil { |
| 84 | + azureSecretCache[secretName] = make(map[string]interface{}) |
| 85 | + } |
| 86 | + azureSecretCache[secretName] = response |
| 87 | + return secretStr |
| 88 | +} |
| 89 | + |
| 90 | +func getAzureTextSecret(secretName string) string { |
| 91 | + Logger.Debugf("getAzureTextSecret [%s]", secretName) |
| 92 | + |
| 93 | + secretResp, err := getKeyVaultClient().GetSecret( |
| 94 | + context.Background(), |
| 95 | + "https://"+azureKeyVaultName+".vault.azure.net", |
| 96 | + secretName, "") |
| 97 | + HandleError(err) |
| 98 | + secretStr := *secretResp.Value |
| 99 | + |
| 100 | + return secretStr |
| 101 | + |
| 102 | +} |
| 103 | + |
| 104 | +// azureRegionCmdPersistentPreRunE checks required persistent tokens for azureCmd |
| 105 | +func azureCmdPersistentPreRunE(cmd *cobra.Command, args []string) error { |
| 106 | + if err := rootCmdPersistentPreRunE(cmd, args); err != nil { |
| 107 | + return err |
| 108 | + } |
| 109 | + Logger.Debugln("azureCmdPersistentPreRunE") |
| 110 | + |
| 111 | + azureTenantID = viper.GetString("tenant") |
| 112 | + azureClientID = viper.GetString("client-id") |
| 113 | + azureClientSecret = viper.GetString("client-secret") |
| 114 | + |
| 115 | + // ensure required environment variables are set |
| 116 | + os.Setenv("AZURE_TENANT_ID", azureTenantID) |
| 117 | + os.Setenv("AZURE_CLIENT_ID", azureClientID) |
| 118 | + os.Setenv("AZURE_CLIENT_SECRET", azureClientSecret) |
| 119 | + |
| 120 | + return nil |
| 121 | +} |
| 122 | + |
| 123 | +// azureCmd represents the azure command |
| 124 | +var azureCmd = &cobra.Command{ |
| 125 | + Use: "azure", |
| 126 | + Short: "Azure Commands", |
| 127 | + Long: `Commands designed to facilitate interactions with Azure`, |
| 128 | + PersistentPreRunE: azureCmdPersistentPreRunE, |
| 129 | + Run: func(cmd *cobra.Command, args []string) { |
| 130 | + cmd.Help() |
| 131 | + }, |
| 132 | +} |
| 133 | + |
| 134 | +var azureGetSecretsCmd = &cobra.Command{ |
| 135 | + Use: "get-secrets", |
| 136 | + Short: "Retrieve secrets from Azure Key Vault", |
| 137 | + Long: `Provide a go template file to request keys from Azure Key Vault |
| 138 | +
|
| 139 | +Supports sprig functions |
| 140 | +
|
| 141 | +Pass in values using --set <key=value> parameters |
| 142 | +
|
| 143 | +Example input and output: |
| 144 | +<secret-keys.yaml> |
| 145 | +--- |
| 146 | +foo: |
| 147 | + keyA: {{ (azureJson "foo" "a") | squote }} |
| 148 | + keyB: {{ (azureJson "foo" "b") | squote }} |
| 149 | + charlie: |
| 150 | + keyC: {{ (azureJson "foo-charlie" "c") | squote }} |
| 151 | +keyD: {{ (azureText "root" ) | quote }} |
| 152 | +
|
| 153 | +
|
| 154 | +<secret-values.yaml> |
| 155 | +--- |
| 156 | +foo: |
| 157 | + keyA: '<value-of-secret/foo-a-frome-azure-key-vault>' |
| 158 | + keyB: '<value-of-secret/foo-b-frome-azure-key-vault>' |
| 159 | + charlie: |
| 160 | + keyC: '<value-of-secret/foo-charlie-c-frome-azure-key-vault>' |
| 161 | +keyD: "<value-of-secret/root-from-azure-key-vault>" |
| 162 | +... |
| 163 | +`, |
| 164 | + Run: func(cmd *cobra.Command, args []string) { |
| 165 | + Logger.Debug("get-secrets called") |
| 166 | + |
| 167 | + // create custom function map |
| 168 | + funcMap := template.FuncMap{ |
| 169 | + "azureJson": getAzureJSONSecret, |
| 170 | + "azureText": getAzureTextSecret, |
| 171 | + } |
| 172 | + |
| 173 | + var files []string |
| 174 | + if len(args) > 0 { |
| 175 | + files = args |
| 176 | + } |
| 177 | + |
| 178 | + CommonGetSecrets(files, funcMap) |
| 179 | + |
| 180 | + }, |
| 181 | + PreRunE: func(cmd *cobra.Command, args []string) error { |
| 182 | + Logger.Debug("PreRunE") |
| 183 | + return ReadValuesMap() |
| 184 | + }, |
| 185 | +} |
| 186 | + |
| 187 | +func init() { |
| 188 | + rootCmd.AddCommand(azureCmd) |
| 189 | + |
| 190 | + // azure command and common persistent flags |
| 191 | + azureCmd.AddCommand(azureGetSecretsCmd) |
| 192 | + azureCmd.PersistentFlags().StringVarP( |
| 193 | + &azureTenantID, |
| 194 | + "tenant", |
| 195 | + "", |
| 196 | + "", |
| 197 | + "Azure tenant ID can alternatively be set using ${AZURE_TENANT_ID}") |
| 198 | + viper.BindEnv("tenant", "AZURE_TENANT_ID") |
| 199 | + |
| 200 | + azureCmd.PersistentFlags().StringVarP( |
| 201 | + &azureClientID, |
| 202 | + "client-id", |
| 203 | + "", |
| 204 | + "", |
| 205 | + "Azure Client ID can alternatively be set using ${AZURE_CLIENT_ID}") |
| 206 | + |
| 207 | + azureCmd.PersistentFlags().StringVarP( |
| 208 | + &azureClientSecret, |
| 209 | + "client-secret", |
| 210 | + "", |
| 211 | + "", |
| 212 | + "Azure Client Secret Key can alternatively be set using ${AZURE_CLIENT_SECRET}") |
| 213 | + |
| 214 | + viper.BindEnv("tenant", "AZURE_TENANT_ID") |
| 215 | + viper.BindEnv("client-id", "AZURE_CLIENT_ID") |
| 216 | + viper.BindEnv("client-secret", "AZURE_CLIENT_SECRET") |
| 217 | + viper.BindPFlags(azureCmd.PersistentFlags()) |
| 218 | + |
| 219 | + azureGetSecretsCmd.PersistentFlags().StringVarP( |
| 220 | + &azureKeyVaultName, |
| 221 | + "key-vault", |
| 222 | + "", |
| 223 | + "", |
| 224 | + "Azure Key Vault Name") |
| 225 | + AddValuesArraySupport(azureGetSecretsCmd, &commonValues) |
| 226 | + AddUseAlternateDelimitersSupport(azureGetSecretsCmd, &commonUseAlternateDelims) |
| 227 | + AddEditInPlaceSupport(azureGetSecretsCmd, &commonEditInPlace) |
| 228 | + |
| 229 | + AddInputFileSupport(azureGetSecretsCmd, &commonGetSecretsInputFile) |
| 230 | + AddOutputFileSupport(azureGetSecretsCmd, &commonGetSecretsOutputFile) |
| 231 | + |
| 232 | + azureSecretCache = make(map[string]map[string]interface{}) |
| 233 | +} |
0 commit comments